Long life to Kelihos!

Carl Leonard |
March 8, 2012

We could say much more about the Kelihos botnet.

During the past months, the spam engine Kelihos has attracted the attention of many people, including security company researchers and analysts. Very interesting also was the recent official Microsoft response where has been confirmed a new generation of Kelihos variants derived from the previous. The Websense Security Labs Spam Trap system has detected a variant of Kelihos that is apparently still active.

We focused our research on trying to uncover the Kelihos command and control infrastructure and P2P network, along with some features of the botnet that we could recognize, including enhancements. The first interesting thing we noticed was in a sample of the network traffic generated by the bot before it starts its spam activity.

We detected encrypted traffic between the "infected" host and the IP addresses. The server contacted by the bot answers with another encrypted network stream. Before the bot starts to generate spam, it contacts another IP address.

We saw that the "User-Agent" header string specifies a dodgy user agent, and that the traffic between the URL requested by the bot and the contacted server seems to be encrypted. Our investigation found that the last stream received by the bot is the configuration information that permits it to begin generating spam. This information includes the targeted countries, a list of recipients, a template for the email body, and a list of MX records needed to start the campaign.

From the statistic analysis of this binary (MD5 021EC96775A37AE92680C076295D5991), we can confirm that the new generation of Kelihos uses an encryption mechanism based on Blowfish. Using some of our tools of the trade, we reversed the binary and detected evidence of a statically linked instance of the cryptographic open source library called Crypto++.

This knowledge permitted us to start a more detailed investigation using a reverse engineering process. After we observed that the first IP address contacted by the bot was changed using a non-apparent criterion, we started to understand where that IP address was retrieved. We were unable to retrieve anything from a memory dump during the bot's runtime.

However, a review of the memory contents revealed that some "hard coded" information in the bot was protected by a sort of in-memory mechanism based on encoding and encryption. In other words, the vital parameters that allow this bot to exist were not easily detectable because they were located in an area of the code where custom obfuscation was applied.

When we looked for some IP addresses in memory, we detected the code routine used to decrypt the IP addresses (probably all compromised hosts). More investigation of Kelihos spam activity revealed that this botnet is involved in several malicious campaigns.

Our Websense ThreatSeeker network can detect this spam activity and block the communication between the Kelihos bot and its command and control and peers structure.

During our investigation, we also detected and trapped the email messages generated by the Kelihos bot and it revealed that the campaign is targeted primarily for European and USA email addresses